AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your company operates 500 Amazon EC2 instances running Amazon Linux 2 and Windows Server across five AWS accounts and three AWS Regions. The security team requires that all critical operating-system patches be installed automatically within 24 hours of release. Operations permits only a single 2-hour maintenance window every Sunday at 02:00 UTC for production servers. The cloud-architecture team wants a centralized, fully managed solution that enforces identical patch rules in every account and Region, provides a consolidated compliance view, and requires minimal custom code or ongoing administration. Which strategy will meet these requirements with the LEAST additional operational effort?
Deploy an Ansible Tower cluster on Amazon EC2 in each Region and register all instances. Schedule Ansible playbooks to apply critical patches during the Sunday maintenance window and forward compliance reports to Amazon CloudWatch Logs.
Implement an AWS CodePipeline in the management account that triggers nightly AWS CodeBuild jobs to bake new AMIs containing the latest patches. Replace Auto Scaling group launch templates in every application stack once a week using AWS CodeDeploy blue/green deployments.
Create an Amazon EventBridge rule in each account that forwards new CVE findings from AWS Security Hub to a cross-account AWS Lambda function. Have the function invoke the AWS-RunPatchBaseline SSM document through Systems Manager Run Command and coordinate timing with an AWS Step Functions state machine scheduled for 02:00 UTC on Sundays.
Use AWS Systems Manager Quick Setup to create an organization-wide Patch Manager policy. Configure a custom patch baseline that auto-approves critical and important updates after 0 days, set the installation schedule to 02:00 UTC on Sundays, and target all accounts and Regions through AWS Organizations.